1/* $OpenBSD: xform.c,v 1.16 2001/08/28 12:20:43 ben Exp $ */ 2/*- 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr), 5 * Niels Provos (provos@physnet.uni-hamburg.de) and 6 * Damien Miller (djm@mindrot.org). 7 * 8 * This code was written by John Ioannidis for BSD/OS in Athens, Greece, 9 * in November 1995. 10 * 11 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 12 * by Angelos D. Keromytis. 13 * 14 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 15 * and Niels Provos. 16 * 17 * Additional features in 1999 by Angelos D. Keromytis. 18 * 19 * AES XTS implementation in 2008 by Damien Miller 20 * 21 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 22 * Angelos D. Keromytis and Niels Provos. 23 * 24 * Copyright (C) 2001, Angelos D. Keromytis. 25 * 26 * Copyright (C) 2008, Damien Miller 27 * 28 * Permission to use, copy, and modify this software with or without fee 29 * is hereby granted, provided that this entire notice is included in 30 * all copies of any software which is or includes a copy or 31 * modification of this software. 32 * You may use this code under the GNU public license if you so wish. Please 33 * contribute changes back to the authors under this freer than GPL license 34 * so that we may further the use of strong encryption without limitations to 35 * all. 36 * 37 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 38 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 39 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 40 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 41 * PURPOSE. 42 */ 43 44#include <sys/cdefs.h> 45__FBSDID("$FreeBSD$"); 46 47#include <sys/param.h> 48#include <sys/systm.h> 49#include <sys/malloc.h> 50#include <sys/sysctl.h> 51#include <sys/errno.h> 52#include <sys/time.h> 53#include <sys/kernel.h> 54#include <machine/cpu.h> 55 56#include <crypto/blowfish/blowfish.h> 57#include <crypto/des/des.h> 58#include <crypto/rijndael/rijndael.h> 59#include <crypto/camellia/camellia.h> 60#include <crypto/sha1.h> 61 62#include <opencrypto/cast.h> 63#include <opencrypto/deflate.h> 64#include <opencrypto/rmd160.h> 65#include <opencrypto/skipjack.h> 66 67#include <sys/md5.h> 68 69#include <opencrypto/cryptodev.h> 70#include <opencrypto/xform.h> 71 72static int null_setkey(u_int8_t **, u_int8_t *, int); 73static int des1_setkey(u_int8_t **, u_int8_t *, int); 74static int des3_setkey(u_int8_t **, u_int8_t *, int); 75static int blf_setkey(u_int8_t **, u_int8_t *, int); 76static int cast5_setkey(u_int8_t **, u_int8_t *, int); 77static int skipjack_setkey(u_int8_t **, u_int8_t *, int); 78static int rijndael128_setkey(u_int8_t **, u_int8_t *, int); 79static int aes_xts_setkey(u_int8_t **, u_int8_t *, int); 80static int cml_setkey(u_int8_t **, u_int8_t *, int); 81 82static void null_encrypt(caddr_t, u_int8_t *); 83static void des1_encrypt(caddr_t, u_int8_t *); 84static void des3_encrypt(caddr_t, u_int8_t *); 85static void blf_encrypt(caddr_t, u_int8_t *); 86static void cast5_encrypt(caddr_t, u_int8_t *); 87static void skipjack_encrypt(caddr_t, u_int8_t *); 88static void rijndael128_encrypt(caddr_t, u_int8_t *); 89static void aes_xts_encrypt(caddr_t, u_int8_t *); 90static void cml_encrypt(caddr_t, u_int8_t *); 91 92static void null_decrypt(caddr_t, u_int8_t *); 93static void des1_decrypt(caddr_t, u_int8_t *); 94static void des3_decrypt(caddr_t, u_int8_t *); 95static void blf_decrypt(caddr_t, u_int8_t *); 96static void cast5_decrypt(caddr_t, u_int8_t *); 97static void skipjack_decrypt(caddr_t, u_int8_t *); 98static void rijndael128_decrypt(caddr_t, u_int8_t *); 99static void aes_xts_decrypt(caddr_t, u_int8_t *); 100static void cml_decrypt(caddr_t, u_int8_t *); 101 102static void null_zerokey(u_int8_t **); 103static void des1_zerokey(u_int8_t **); 104static void des3_zerokey(u_int8_t **); 105static void blf_zerokey(u_int8_t **); 106static void cast5_zerokey(u_int8_t **); 107static void skipjack_zerokey(u_int8_t **); 108static void rijndael128_zerokey(u_int8_t **); 109static void aes_xts_zerokey(u_int8_t **); 110static void cml_zerokey(u_int8_t **); 111 112static void aes_xts_reinit(caddr_t, u_int8_t *); 113 114static void null_init(void *); 115static int null_update(void *, u_int8_t *, u_int16_t); 116static void null_final(u_int8_t *, void *); 117static int MD5Update_int(void *, u_int8_t *, u_int16_t); 118static void SHA1Init_int(void *); 119static int SHA1Update_int(void *, u_int8_t *, u_int16_t); 120static void SHA1Final_int(u_int8_t *, void *); 121static int RMD160Update_int(void *, u_int8_t *, u_int16_t); 122static int SHA256Update_int(void *, u_int8_t *, u_int16_t); 123static int SHA384Update_int(void *, u_int8_t *, u_int16_t); 124static int SHA512Update_int(void *, u_int8_t *, u_int16_t); 125 126static u_int32_t deflate_compress(u_int8_t *, u_int32_t, u_int8_t **); 127static u_int32_t deflate_decompress(u_int8_t *, u_int32_t, u_int8_t **); 128 129MALLOC_DEFINE(M_XDATA, "xform", "xform data buffers"); 130 131/* Encryption instances */ 132struct enc_xform enc_xform_null = { 133 CRYPTO_NULL_CBC, "NULL", 134 /* NB: blocksize of 4 is to generate a properly aligned ESP header */ 135 NULL_BLOCK_LEN, 0, 256, /* 2048 bits, max key */ 136 null_encrypt, 137 null_decrypt, 138 null_setkey, 139 null_zerokey, 140 NULL 141}; 142 143struct enc_xform enc_xform_des = { 144 CRYPTO_DES_CBC, "DES", 145 DES_BLOCK_LEN, 8, 8, 146 des1_encrypt, 147 des1_decrypt, 148 des1_setkey, 149 des1_zerokey, 150 NULL 151}; 152 153struct enc_xform enc_xform_3des = { 154 CRYPTO_3DES_CBC, "3DES", 155 DES3_BLOCK_LEN, 24, 24, 156 des3_encrypt, 157 des3_decrypt, 158 des3_setkey, 159 des3_zerokey, 160 NULL 161}; 162 163struct enc_xform enc_xform_blf = { 164 CRYPTO_BLF_CBC, "Blowfish", 165 BLOWFISH_BLOCK_LEN, 5, 56 /* 448 bits, max key */, 166 blf_encrypt, 167 blf_decrypt, 168 blf_setkey, 169 blf_zerokey, 170 NULL 171}; 172 173struct enc_xform enc_xform_cast5 = { 174 CRYPTO_CAST_CBC, "CAST-128", 175 CAST128_BLOCK_LEN, 5, 16, 176 cast5_encrypt, 177 cast5_decrypt, 178 cast5_setkey, 179 cast5_zerokey, 180 NULL 181}; 182 183struct enc_xform enc_xform_skipjack = { 184 CRYPTO_SKIPJACK_CBC, "Skipjack", 185 SKIPJACK_BLOCK_LEN, 10, 10, 186 skipjack_encrypt, 187 skipjack_decrypt, 188 skipjack_setkey, 189 skipjack_zerokey, 190 NULL 191}; 192 193struct enc_xform enc_xform_rijndael128 = { 194 CRYPTO_RIJNDAEL128_CBC, "Rijndael-128/AES", 195 RIJNDAEL128_BLOCK_LEN, 8, 32, 196 rijndael128_encrypt, 197 rijndael128_decrypt, 198 rijndael128_setkey, 199 rijndael128_zerokey, 200 NULL 201}; 202 203struct enc_xform enc_xform_aes_xts = { 204 CRYPTO_AES_XTS, "AES-XTS", 205 RIJNDAEL128_BLOCK_LEN, 32, 64, 206 aes_xts_encrypt, 207 aes_xts_decrypt, 208 aes_xts_setkey, 209 aes_xts_zerokey, 210 aes_xts_reinit 211}; 212 213struct enc_xform enc_xform_arc4 = { 214 CRYPTO_ARC4, "ARC4", 215 1, 1, 32, 216 NULL, 217 NULL, 218 NULL, 219 NULL, 220 NULL 221}; 222 223struct enc_xform enc_xform_camellia = { 224 CRYPTO_CAMELLIA_CBC, "Camellia", 225 CAMELLIA_BLOCK_LEN, 8, 32, 226 cml_encrypt, 227 cml_decrypt, 228 cml_setkey, 229 cml_zerokey, 230 NULL 231}; 232 233/* Authentication instances */ 234struct auth_hash auth_hash_null = { 235 CRYPTO_NULL_HMAC, "NULL-HMAC", 236 0, NULL_HASH_LEN, NULL_HMAC_BLOCK_LEN, sizeof(int), /* NB: context isn't used */ 237 null_init, null_update, null_final 238}; 239 240struct auth_hash auth_hash_hmac_md5 = { 241 CRYPTO_MD5_HMAC, "HMAC-MD5", 242 16, MD5_HASH_LEN, MD5_HMAC_BLOCK_LEN, sizeof(MD5_CTX), 243 (void (*) (void *)) MD5Init, MD5Update_int, 244 (void (*) (u_int8_t *, void *)) MD5Final 245}; 246 247struct auth_hash auth_hash_hmac_sha1 = { 248 CRYPTO_SHA1_HMAC, "HMAC-SHA1", 249 20, SHA1_HASH_LEN, SHA1_HMAC_BLOCK_LEN, sizeof(SHA1_CTX), 250 SHA1Init_int, SHA1Update_int, SHA1Final_int 251}; 252 253struct auth_hash auth_hash_hmac_ripemd_160 = { 254 CRYPTO_RIPEMD160_HMAC, "HMAC-RIPEMD-160", 255 20, RIPEMD160_HASH_LEN, RIPEMD160_HMAC_BLOCK_LEN, sizeof(RMD160_CTX), 256 (void (*)(void *)) RMD160Init, RMD160Update_int, 257 (void (*)(u_int8_t *, void *)) RMD160Final 258}; 259 260struct auth_hash auth_hash_key_md5 = { 261 CRYPTO_MD5_KPDK, "Keyed MD5", 262 0, MD5_KPDK_HASH_LEN, 0, sizeof(MD5_CTX), 263 (void (*)(void *)) MD5Init, MD5Update_int, 264 (void (*)(u_int8_t *, void *)) MD5Final 265}; 266 267struct auth_hash auth_hash_key_sha1 = { 268 CRYPTO_SHA1_KPDK, "Keyed SHA1", 269 0, SHA1_KPDK_HASH_LEN, 0, sizeof(SHA1_CTX), 270 SHA1Init_int, SHA1Update_int, SHA1Final_int 271}; 272 273struct auth_hash auth_hash_hmac_sha2_256 = { 274 CRYPTO_SHA2_256_HMAC, "HMAC-SHA2-256", 275 32, SHA2_256_HASH_LEN, SHA2_256_HMAC_BLOCK_LEN, sizeof(SHA256_CTX), 276 (void (*)(void *)) SHA256_Init, SHA256Update_int, 277 (void (*)(u_int8_t *, void *)) SHA256_Final 278}; 279 280struct auth_hash auth_hash_hmac_sha2_384 = { 281 CRYPTO_SHA2_384_HMAC, "HMAC-SHA2-384", 282 48, SHA2_384_HASH_LEN, SHA2_384_HMAC_BLOCK_LEN, sizeof(SHA384_CTX), 283 (void (*)(void *)) SHA384_Init, SHA384Update_int, 284 (void (*)(u_int8_t *, void *)) SHA384_Final 285}; 286 287struct auth_hash auth_hash_hmac_sha2_512 = { 288 CRYPTO_SHA2_512_HMAC, "HMAC-SHA2-512", 289 64, SHA2_512_HASH_LEN, SHA2_512_HMAC_BLOCK_LEN, sizeof(SHA512_CTX), 290 (void (*)(void *)) SHA512_Init, SHA512Update_int, 291 (void (*)(u_int8_t *, void *)) SHA512_Final 292}; 293 294/* Compression instance */ 295struct comp_algo comp_algo_deflate = { 296 CRYPTO_DEFLATE_COMP, "Deflate", 297 90, deflate_compress, 298 deflate_decompress 299}; 300 301/* 302 * Encryption wrapper routines. 303 */ 304static void 305null_encrypt(caddr_t key, u_int8_t *blk) 306{ 307} 308static void 309null_decrypt(caddr_t key, u_int8_t *blk) 310{ 311} 312static int 313null_setkey(u_int8_t **sched, u_int8_t *key, int len) 314{ 315 *sched = NULL; 316 return 0; 317} 318static void 319null_zerokey(u_int8_t **sched) 320{ 321 *sched = NULL; 322} 323 324static void 325des1_encrypt(caddr_t key, u_int8_t *blk) 326{ 327 des_cblock *cb = (des_cblock *) blk; 328 des_key_schedule *p = (des_key_schedule *) key; 329 330 des_ecb_encrypt(cb, cb, p[0], DES_ENCRYPT); 331} 332 333static void 334des1_decrypt(caddr_t key, u_int8_t *blk) 335{ 336 des_cblock *cb = (des_cblock *) blk; 337 des_key_schedule *p = (des_key_schedule *) key; 338 339 des_ecb_encrypt(cb, cb, p[0], DES_DECRYPT); 340} 341 342static int 343des1_setkey(u_int8_t **sched, u_int8_t *key, int len) 344{ 345 des_key_schedule *p; 346 int err; 347 348 p = malloc(sizeof (des_key_schedule), 349 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 350 if (p != NULL) { 351 des_set_key((des_cblock *) key, p[0]); 352 err = 0; 353 } else 354 err = ENOMEM; 355 *sched = (u_int8_t *) p; 356 return err; 357} 358 359static void 360des1_zerokey(u_int8_t **sched) 361{ 362 bzero(*sched, sizeof (des_key_schedule)); 363 free(*sched, M_CRYPTO_DATA); 364 *sched = NULL; 365} 366 367static void 368des3_encrypt(caddr_t key, u_int8_t *blk) 369{ 370 des_cblock *cb = (des_cblock *) blk; 371 des_key_schedule *p = (des_key_schedule *) key; 372 373 des_ecb3_encrypt(cb, cb, p[0], p[1], p[2], DES_ENCRYPT); 374} 375 376static void 377des3_decrypt(caddr_t key, u_int8_t *blk) 378{ 379 des_cblock *cb = (des_cblock *) blk; 380 des_key_schedule *p = (des_key_schedule *) key; 381 382 des_ecb3_encrypt(cb, cb, p[0], p[1], p[2], DES_DECRYPT); 383} 384 385static int 386des3_setkey(u_int8_t **sched, u_int8_t *key, int len) 387{ 388 des_key_schedule *p; 389 int err; 390 391 p = malloc(3*sizeof (des_key_schedule), 392 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 393 if (p != NULL) { 394 des_set_key((des_cblock *)(key + 0), p[0]); 395 des_set_key((des_cblock *)(key + 8), p[1]); 396 des_set_key((des_cblock *)(key + 16), p[2]); 397 err = 0; 398 } else 399 err = ENOMEM; 400 *sched = (u_int8_t *) p; 401 return err; 402} 403 404static void 405des3_zerokey(u_int8_t **sched) 406{ 407 bzero(*sched, 3*sizeof (des_key_schedule)); 408 free(*sched, M_CRYPTO_DATA); 409 *sched = NULL; 410} 411 412static void 413blf_encrypt(caddr_t key, u_int8_t *blk) 414{ 415 BF_LONG t[2]; 416 417 memcpy(t, blk, sizeof (t)); 418 t[0] = ntohl(t[0]); 419 t[1] = ntohl(t[1]); 420 /* NB: BF_encrypt expects the block in host order! */ 421 BF_encrypt(t, (BF_KEY *) key); 422 t[0] = htonl(t[0]); 423 t[1] = htonl(t[1]); 424 memcpy(blk, t, sizeof (t)); 425} 426 427static void 428blf_decrypt(caddr_t key, u_int8_t *blk) 429{ 430 BF_LONG t[2]; 431 432 memcpy(t, blk, sizeof (t)); 433 t[0] = ntohl(t[0]); 434 t[1] = ntohl(t[1]); 435 /* NB: BF_decrypt expects the block in host order! */ 436 BF_decrypt(t, (BF_KEY *) key); 437 t[0] = htonl(t[0]); 438 t[1] = htonl(t[1]); 439 memcpy(blk, t, sizeof (t)); 440} 441 442static int 443blf_setkey(u_int8_t **sched, u_int8_t *key, int len) 444{ 445 int err; 446 447 *sched = malloc(sizeof(BF_KEY), 448 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 449 if (*sched != NULL) { 450 BF_set_key((BF_KEY *) *sched, len, key); 451 err = 0; 452 } else 453 err = ENOMEM; 454 return err; 455} 456 457static void 458blf_zerokey(u_int8_t **sched) 459{ 460 bzero(*sched, sizeof(BF_KEY)); 461 free(*sched, M_CRYPTO_DATA); 462 *sched = NULL; 463} 464 465static void 466cast5_encrypt(caddr_t key, u_int8_t *blk) 467{ 468 cast_encrypt((cast_key *) key, blk, blk); 469} 470 471static void 472cast5_decrypt(caddr_t key, u_int8_t *blk) 473{ 474 cast_decrypt((cast_key *) key, blk, blk); 475} 476 477static int 478cast5_setkey(u_int8_t **sched, u_int8_t *key, int len) 479{ 480 int err; 481 482 *sched = malloc(sizeof(cast_key), M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 483 if (*sched != NULL) { 484 cast_setkey((cast_key *)*sched, key, len); 485 err = 0; 486 } else 487 err = ENOMEM; 488 return err; 489} 490 491static void 492cast5_zerokey(u_int8_t **sched) 493{ 494 bzero(*sched, sizeof(cast_key)); 495 free(*sched, M_CRYPTO_DATA); 496 *sched = NULL; 497} 498 499static void 500skipjack_encrypt(caddr_t key, u_int8_t *blk) 501{ 502 skipjack_forwards(blk, blk, (u_int8_t **) key); 503} 504 505static void 506skipjack_decrypt(caddr_t key, u_int8_t *blk) 507{ 508 skipjack_backwards(blk, blk, (u_int8_t **) key); 509} 510 511static int 512skipjack_setkey(u_int8_t **sched, u_int8_t *key, int len) 513{ 514 int err; 515 516 /* NB: allocate all the memory that's needed at once */ 517 *sched = malloc(10 * (sizeof(u_int8_t *) + 0x100), 518 M_CRYPTO_DATA, M_NOWAIT|M_ZERO); 519 if (*sched != NULL) { 520 u_int8_t** key_tables = (u_int8_t**) *sched; 521 u_int8_t* table = (u_int8_t*) &key_tables[10]; 522 int k; 523 524 for (k = 0; k < 10; k++) { 525 key_tables[k] = table; 526 table += 0x100; 527 } 528 subkey_table_gen(key, (u_int8_t **) *sched); 529 err = 0; 530 } else 531 err = ENOMEM; 532 return err; 533} 534 535static void 536skipjack_zerokey(u_int8_t **sched) 537{ 538 bzero(*sched, 10 * (sizeof(u_int8_t *) + 0x100)); 539 free(*sched, M_CRYPTO_DATA); 540 *sched = NULL; 541} 542 543static void 544rijndael128_encrypt(caddr_t key, u_int8_t *blk) 545{ 546 rijndael_encrypt((rijndael_ctx *) key, (u_char *) blk, (u_char *) blk); 547} 548 549static void 550rijndael128_decrypt(caddr_t key, u_int8_t *blk) 551{ 552 rijndael_decrypt(((rijndael_ctx *) key), (u_char *) blk, 553 (u_char *) blk); 554} 555 556static int 557rijndael128_setkey(u_int8_t **sched, u_int8_t *key, int len) 558{ 559 int err; 560 561 if (len != 16 && len != 24 && len != 32) 562 return (EINVAL); 563 *sched = malloc(sizeof(rijndael_ctx), M_CRYPTO_DATA, 564 M_NOWAIT|M_ZERO); 565 if (*sched != NULL) { 566 rijndael_set_key((rijndael_ctx *) *sched, (u_char *) key, 567 len * 8); 568 err = 0; 569 } else 570 err = ENOMEM; 571 return err; 572} 573 574static void 575rijndael128_zerokey(u_int8_t **sched) 576{ 577 bzero(*sched, sizeof(rijndael_ctx)); 578 free(*sched, M_CRYPTO_DATA); 579 *sched = NULL; 580} 581 582#define AES_XTS_BLOCKSIZE 16 583#define AES_XTS_IVSIZE 8 584#define AES_XTS_ALPHA 0x87 /* GF(2^128) generator polynomial */ 585 586struct aes_xts_ctx { 587 rijndael_ctx key1; 588 rijndael_ctx key2; 589 u_int8_t tweak[AES_XTS_BLOCKSIZE]; 590}; 591 592void 593aes_xts_reinit(caddr_t key, u_int8_t *iv) 594{ 595 struct aes_xts_ctx *ctx = (struct aes_xts_ctx *)key; 596 u_int64_t blocknum; 597 u_int i; 598 599 /* 600 * Prepare tweak as E_k2(IV). IV is specified as LE representation 601 * of a 64-bit block number which we allow to be passed in directly. 602 */ 603 bcopy(iv, &blocknum, AES_XTS_IVSIZE); 604 for (i = 0; i < AES_XTS_IVSIZE; i++) { 605 ctx->tweak[i] = blocknum & 0xff; 606 blocknum >>= 8; 607 } 608 /* Last 64 bits of IV are always zero */ 609 bzero(ctx->tweak + AES_XTS_IVSIZE, AES_XTS_IVSIZE); 610 611 rijndael_encrypt(&ctx->key2, ctx->tweak, ctx->tweak); 612} 613 614static void 615aes_xts_crypt(struct aes_xts_ctx *ctx, u_int8_t *data, u_int do_encrypt) 616{ 617 u_int8_t block[AES_XTS_BLOCKSIZE]; 618 u_int i, carry_in, carry_out; 619 620 for (i = 0; i < AES_XTS_BLOCKSIZE; i++) 621 block[i] = data[i] ^ ctx->tweak[i]; 622 623 if (do_encrypt) 624 rijndael_encrypt(&ctx->key1, block, data); 625 else 626 rijndael_decrypt(&ctx->key1, block, data); 627 628 for (i = 0; i < AES_XTS_BLOCKSIZE; i++) 629 data[i] ^= ctx->tweak[i]; 630 631 /* Exponentiate tweak */ 632 carry_in = 0; 633 for (i = 0; i < AES_XTS_BLOCKSIZE; i++) { 634 carry_out = ctx->tweak[i] & 0x80; 635 ctx->tweak[i] = (ctx->tweak[i] << 1) | (carry_in ? 1 : 0); 636 carry_in = carry_out; 637 } 638 if (carry_in) 639 ctx->tweak[0] ^= AES_XTS_ALPHA; 640 bzero(block, sizeof(block)); 641} 642 643void 644aes_xts_encrypt(caddr_t key, u_int8_t *data) 645{ 646 aes_xts_crypt((struct aes_xts_ctx *)key, data, 1); 647} 648 649void 650aes_xts_decrypt(caddr_t key, u_int8_t *data) 651{ 652 aes_xts_crypt((struct aes_xts_ctx *)key, data, 0); 653} 654 655int 656aes_xts_setkey(u_int8_t **sched, u_int8_t *key, int len) 657{ 658 struct aes_xts_ctx *ctx; 659 660 if (len != 32 && len != 64) 661 return EINVAL; 662 663 *sched = malloc(sizeof(struct aes_xts_ctx), M_CRYPTO_DATA, 664 M_NOWAIT | M_ZERO); 665 if (*sched == NULL) 666 return ENOMEM; 667 ctx = (struct aes_xts_ctx *)*sched; 668 669 rijndael_set_key(&ctx->key1, key, len * 4); 670 rijndael_set_key(&ctx->key2, key + (len / 2), len * 4); 671 672 return 0; 673} 674 675void 676aes_xts_zerokey(u_int8_t **sched) 677{ 678 bzero(*sched, sizeof(struct aes_xts_ctx)); 679 free(*sched, M_CRYPTO_DATA); 680 *sched = NULL; 681} 682 683static void 684cml_encrypt(caddr_t key, u_int8_t *blk) 685{ 686 camellia_encrypt((camellia_ctx *) key, (u_char *) blk, (u_char *) blk); 687} 688 689static void 690cml_decrypt(caddr_t key, u_int8_t *blk) 691{ 692 camellia_decrypt(((camellia_ctx *) key), (u_char *) blk, 693 (u_char *) blk); 694} 695 696static int 697cml_setkey(u_int8_t **sched, u_int8_t *key, int len) 698{ 699 int err; 700 701 if (len != 16 && len != 24 && len != 32) 702 return (EINVAL); 703 *sched = malloc(sizeof(camellia_ctx), M_CRYPTO_DATA, 704 M_NOWAIT|M_ZERO); 705 if (*sched != NULL) { 706 camellia_set_key((camellia_ctx *) *sched, (u_char *) key, 707 len * 8); 708 err = 0; 709 } else 710 err = ENOMEM; 711 return err; 712} 713 714static void 715cml_zerokey(u_int8_t **sched) 716{ 717 bzero(*sched, sizeof(camellia_ctx)); 718 free(*sched, M_CRYPTO_DATA); 719 *sched = NULL; 720} 721 722/* 723 * And now for auth. 724 */ 725 726static void 727null_init(void *ctx) 728{ 729} 730 731static int 732null_update(void *ctx, u_int8_t *buf, u_int16_t len) 733{ 734 return 0; 735} 736 737static void 738null_final(u_int8_t *buf, void *ctx) 739{ 740 if (buf != (u_int8_t *) 0) 741 bzero(buf, 12); 742} 743 744static int 745RMD160Update_int(void *ctx, u_int8_t *buf, u_int16_t len) 746{ 747 RMD160Update(ctx, buf, len); 748 return 0; 749} 750 751static int 752MD5Update_int(void *ctx, u_int8_t *buf, u_int16_t len) 753{ 754 MD5Update(ctx, buf, len); 755 return 0; 756} 757 758static void 759SHA1Init_int(void *ctx) 760{ 761 SHA1Init(ctx); 762} 763 764static int 765SHA1Update_int(void *ctx, u_int8_t *buf, u_int16_t len) 766{ 767 SHA1Update(ctx, buf, len); 768 return 0; 769} 770 771static void 772SHA1Final_int(u_int8_t *blk, void *ctx) 773{ 774 SHA1Final(blk, ctx); 775} 776 777static int 778SHA256Update_int(void *ctx, u_int8_t *buf, u_int16_t len) 779{ 780 SHA256_Update(ctx, buf, len); 781 return 0; 782} 783 784static int 785SHA384Update_int(void *ctx, u_int8_t *buf, u_int16_t len) 786{ 787 SHA384_Update(ctx, buf, len); 788 return 0; 789} 790 791static int 792SHA512Update_int(void *ctx, u_int8_t *buf, u_int16_t len) 793{ 794 SHA512_Update(ctx, buf, len); 795 return 0; 796} 797 798/* 799 * And compression 800 */ 801 802static u_int32_t 803deflate_compress(data, size, out) 804 u_int8_t *data; 805 u_int32_t size; 806 u_int8_t **out; 807{ 808 return deflate_global(data, size, 0, out); 809} 810 811static u_int32_t 812deflate_decompress(data, size, out) 813 u_int8_t *data; 814 u_int32_t size; 815 u_int8_t **out; 816{ 817 return deflate_global(data, size, 1, out); 818} 819